site value is not populating in SAWA 2.1.0 SplunkEnterprise 7.0.3

GDustin
Path Finder

I somehow got this to work on SAWA 1.7 months and months ago.
This time around I cannot get site to populate.
[It seems like maybe the automatic lookup is not working; iis : LOOKUP-site, or the field alias iis : FIELDALIAS-host/cs_host AS host]

I have resorted to the test data in samples iis.log

Does anyone know if this website config will work for the test data? Or any other pointers?

| key | value | source | host |
|---|---|---|---|
| site | testcom-some-concept | iis.log | testvadc-spk03.xxx |

I tried to look very closely at the websites setup page;
"The "site" fields should match your domain name, i.e. "www.mydomain.com"."
So I tried setting the value to a similar value to cs_host for the test data; "site.supersimple.fr"

| key | value | source | host |
|---|---|---|---|
| site | site.supersimple.fr | iis.log | testvadc-spk03.xxx |

This is not working either.

I've got the test data targeted as such:
eventtype=pageview site=* earliest=1536570057 latest=1536572457.001
does not work
eventtype=pageview earliest=1536570057 latest=1536572457.001
does work
tag=web earliest=1536570057 latest=1536572457.001
does work

I think if I can get a generate pages/sessions to work on the test data it should work on the rest of my data? [So that is what I was trying for at this point.]

0 Karma
1 Solution

jbjerke_splunk
Splunk Employee

Hi

A new version of the app is now live, which hopefully solves this issue.
https://splunkbase.splunk.com/app/2699

v 2.2.0
- Added an option to use a different data model name than "Web". This caused conflicts with the default CIM datamodel also called Web.
- Made changes to Sites setup dashboard to make it easier.
- Migrated website setup settings to the KV store.
- Added better support for IIS. Now supports ms:iis:auto and ms:iis:default sourcetypes, which come from the official IIS Add-on.
- Updated User agent string parsing to latest version.
- Various bug fixes.

0 Karma

GDustin
Path Finder

Splunk Common Information Model Splunk_SA_CIM 4.7.0

0 Karma

GDustin
Path Finder

Everything is appearing to line up; after getting jbjerke · Mar 21 at 06:57 AM Props deployed from here;
https://answers.splunk.com/answers/727931/is-it-easy-to-ingest-advanced-iis-logs-into-the-sp.html

0 Karma

GDustin
Path Finder

...Got reamed out by Enterprise "X" Management for breaking their iis "compliance" alerts, but gosh darnit we got SAWA up; ...end-users are just resorting to adhoc dashboards.

0 Karma